Hi all! I have a general implementation question that I would like some help with (please let me know if there's a better channel to post this). I have a JavaScript frontend and a separate Go backend, and I'm trying to figure out the best way to authenticate requests from JavaScript running on the client (www.example.com) to the API (api.example.com). One option is to share Kratos cookies across subdomains, but this seems too open and could cause security problems in the future. Another option is to use Hydra + Kratos and implement the OAuth/OpenID access_token pattern, but then keeping the Hydra OAuth session and the Kratos login session in sync is a pain. A third option I'm considering is to have my Kratos selfservice-ui automatically start and manage a Hydra session on behalf of the client and share the access_token as stored metadata, but this doesn't seem to be a well-established pattern. Do you have any suggestions on how to use Kratos/Hydra to authenticate cross-domain requests?
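As an added example, not part of the original post and not Ory's own code, here is what the first option (a Kratos session cookie scoped to .example.com, sent by the browser on www.example.com to api.example.com) looks like on the Go API side. The API never parses or trusts the cookie itself; it forwards it to Kratos' public GET /sessions/whoami endpoint and accepts the request only if Kratos reports an active session, and CORS is pinned to the single frontend origin with Allow-Credentials so the browser will attach the cookie cross-origin. The origin, the FakeKratos stand-in, the cookie values ("good", "forged") and the X-Identity-ID hand-off header are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
)

// Constructed example, not code from the post or from Ory. The origin, the fake
// Kratos server and the cookie values below are assumptions.

const (
	allowedOrigin = "https://www.example.com" // exact origin, never "*": credentials are sent
	sessionCookie = "ory_kratos_session"      // Kratos' default session cookie name
)

var ErrUnauthenticated = errors.New("no active kratos session")

// Session is the part of the whoami response the API needs.
type Session struct {
	Active   bool                            `json:"active"`
	Identity struct{ ID string `json:"id"` } `json:"identity"`
}

// SessionFromCookie forwards the raw cookie to Kratos; Kratos, not the API, decides
// whether the cookie is valid, so nothing here parses or trusts its contents.
func SessionFromCookie(kratosURL string, c *http.Cookie) (*Session, error) {
	if c == nil || c.Value == "" {
		return nil, ErrUnauthenticated
	}
	req, _ := http.NewRequest(http.MethodGet, kratosURL+"/sessions/whoami", nil) // fixed method and URL
	req.AddCookie(c)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var s Session
	// Kratos answers 401 for unknown or expired cookies; "active":false is also a rejection.
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&s) != nil || !s.Active {
		return nil, ErrUnauthenticated
	}
	return &s, nil
}

// RequireSession wraps an API handler. CORS is pinned to the single frontend origin;
// Allow-Credentials is what lets the browser attach the cookie cross-origin.
func RequireSession(kratosURL string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" {
			if origin != allowedOrigin {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}
			w.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		c, _ := r.Cookie(sessionCookie) // a missing cookie fails the check below
		s, err := SessionFromCookie(kratosURL, c)
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Header.Set("X-Identity-ID", s.Identity.ID) // hypothetical hand-off to the handler
		next.ServeHTTP(w, r)
	})
}

// FakeKratos stands in for the Kratos public API so the example runs offline:
// only the constructed cookie value "good" is an active session.
func FakeKratos() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie(sessionCookie)
		if r.URL.Path != "/sessions/whoami" || err != nil || c.Value != "good" {
			http.Error(w, `{"error":{"code":401}}`, http.StatusUnauthorized)
			return
		}
		io.WriteString(w, `{"active":true,"identity":{"id":"user-123"}}`)
	}))
}

// CallAPI sends one request through the middleware and returns the HTTP status.
func CallAPI(kratosURL, origin, cookieValue string) int {
	h := RequireSession(kratosURL, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "hello "+r.Header.Get("X-Identity-ID"))
	}))
	req := httptest.NewRequest(http.MethodGet, "https://api.example.com/me", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if cookieValue != "" {
		req.AddCookie(&http.Cookie{Name: sessionCookie, Value: cookieValue})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

With FakeKratos running, CallAPI(k.URL, allowedOrigin, "good") returns 200, a forged or missing cookie returns 401, and a request carrying a foreign Origin is refused with 403 before Kratos is ever consulted. The caveat the post raises still stands: a cookie set for .example.com is presented to every host under that domain, so every such host must be as trustworthy as the API, and the frontend needs credentials: "include" on its fetch calls for the cookie to be sent at all.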